> "Just as a reminder, there's currently no agreement in place between
> the MITRE CVE team and Red Hat that would let Red Hat assign a CVE ID
> for a public report in this way."
I spotted a security advisory come out from my team today which had no CVE
on it. What, how is that possible? We make a big deal about having
vulnerability identifiers on every vulnerability we fix in a Red Hat
security advisory, since we started doing this 15-odd years ago.
https://rhn.redhat.com/errata/RHSA-2015-2515.html
My team told me we'd fixed the same issue already in November in different
products.
A request for a CVE name went to oss-security in October, and repinged in
November just before the first advisory.
http://seclists.org/oss-sec/2015/q4/358
In the past we'd simply just take something our of CNA and ask for
forgiveness later, kind of like Kurt did for the issue in this thread.
I figure a security issue being fixed in Red Hat Enterprise Linux is
something that's going to get a CVE, no matter what reduced inclusion
criteria may apply (it's not even in an obscure component or some older
version, this is the latest RHEL and git)
We want to have a vulnerability identifier for every vulnerabilty we know
we're fixing. So that means we either keep pinging and calling
people at Mitre before any similar RHSA, or start to abuse our CNA powers,
or invent our own temporary CXX prefix for these.
Mark